FBI alerts Barracuda customers after ineffective patch

Email symbols imposed on a digital themed background
(Image credit: Getty Images)

Barracuda email security gateway (ESG) users have been warned that appliances are still at high risk of compromise due to an “ineffective” patch for flaws issued in May. 

In a security notice this week, the FBI revealed that an investigation into the exploitation of CVE-2023-2868 found that although a patch had been issued for vulnerable appliances, there still remains a “risk for continued computer network compromise”.

“Through an investigation of the Barracuda ESG appliance compromise, the FBI discovered additional indicators of compromise, as well as independently verified many of the indicators of compromise in the public domain,” the agency said in its notice.

Barracuda issued a patch for all affected appliances in late May after discovering the vulnerability. The company said at the time it believed the flaw had been actively exploited for “several months” dating back to October 2022.

The vulnerability enabled threat actors to obtain “unauthorized access to a subset of ESG appliances”, and attackers were found to have deployed two malware strains, dubbed ‘Saltwater’ and ‘Seaspy’, on the affected devices.


Whitepaper cover with red and white title over a black and white image of a businessman stood looking out of an office window

(Image credit: Mimecast)

Discover the business and personal implications of ransomware, and how organizations are defending against attacks today.


Barracuda later advised customers to replace affected appliances after an investigation found it couldn’t guarantee user safety or the removal of said malware.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said at the time. “Impacted ESG appliances must be immediately replaced regardless of patch version level.”

The FBI’s latest update echoes Barracuda’s advisory to customers, urging them to remove affected devices.

“The patches released by Barracuda in response to this CVE were ineffective,” the agency said. “Barracuda customers should remove all ESG appliances immediately.”

The agency also advised users to investigate signs of further exploitation by referring to its list of compromise indicators and “conducting scans for outgoing connections”

“Customers who used enterprise privileged credentials for management of their Barracuda appliances (such as Active Directory Domain Admin) should immediately take incident investigation steps to verify the use and behavior of any credentials used on their devices.”

Chinese-linked exploitation

Analysis from Mandiant suggests that Chinese-linked threat actors have been involved in exploiting the flaw. A group dubbed ‘UNC4841 was identified as the culprit behind the attacks on the affected devices, the security firm said.

“Since our initial reporting in June, UNC4841 has been deploying new and novel malware to a small subset of high priority targets following the remediation of CVE-2023-2868,” said Mandiant CEO Kevin Mandia.

“This actor continues to show sophistication and adaptability through deep preparedness and custom tooling, enabling its global espionage operations to span across public and private sectors worldwide.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.